Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Jamf Protect - Alerts

Back
Id6098daa0-f05e-44d5-b5a0-913e63ba3179
RulenameJamf Protect - Alerts
DescriptionCreates an incident based on Jamf Protect Alert data in Microsoft Sentinel
SeverityHigh
Required data connectorsJamfProtect
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
Version1.0.6
Arm template6098daa0-f05e-44d5-b5a0-913e63ba3179.json
Deploy To Azure
jamfprotectalerts_CL
| extend
    algorithm = "SHA256",
    Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
    Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
    Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
    Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
    JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
entityMappings:
- fieldMappings:
  - columnName: DvcHostname
    identifier: HostName
  - columnName: DvcOs
    identifier: OSFamily
  - columnName: DvcOsVersion
    identifier: OSVersion
  entityType: Host
- fieldMappings:
  - columnName: Host_IPs
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: TargetProcessCurrentDirectory
    identifier: CommandLine
  - columnName: TargetProcessId
    identifier: ProcessId
  entityType: Process
- fieldMappings:
  - columnName: algorithm
    identifier: Algorithm
  - columnName: TargetBinarySHA256
    identifier: Value
  entityType: FileHash
severity: High
name: Jamf Protect - Alerts
relevantTechniques: 
version: 1.0.6
requiredDataConnectors:
- dataTypes:
  - jamfprotectalerts_CL
  connectorId: JamfProtect
kind: NRT
suppressionDuration: PT5H
suppressionEnabled: false
tactics: 
alertDetailsOverride:
  alertTacticsColumnName: Tactics
  alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
  alertDynamicProperties:
  - value: EventVendor
    alertProperty: ProviderName
  - value: EventProduct
    alertProperty: ProductName
  - value: Techniques
    alertProperty: Techniques
  alertSeverityColumnName: EventSeverity
  alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
status: Available
query: |
  jamfprotectalerts_CL
  | extend
      algorithm = "SHA256",
      Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
      Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
      Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
      Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
      JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")  
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    reopenClosedIncident: false
    enabled: false
  createIncident: true
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
customDetails:
  Related_Binaries: TargetBinaryFilePath
  Protect_Event_Type: EventType
  Related_File_hash: TargetBinarySHA256
  Protect_Tags: Tags
  TargetBinarySigner: TargetBinarySigningTeamID
  Protect_Analytic: EventMessage
  TargetBinarySignMsg: TargetBinarySigningInfoMessage
  JamfPro_Status: JamfPro
  TargetbinarySign: TargetbinarySignerType
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{EventResultMessage}} - Please investigate",
          "alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProviderName",
              "value": "EventVendor"
            },
            {
              "alertProperty": "ProductName",
              "value": "EventProduct"
            },
            {
              "alertProperty": "Techniques",
              "value": "Techniques"
            }
          ],
          "alertSeverityColumnName": "EventSeverity",
          "alertTacticsColumnName": "Tactics"
        },
        "alertRuleTemplateName": "6098daa0-f05e-44d5-b5a0-913e63ba3179",
        "customDetails": {
          "JamfPro_Status": "JamfPro",
          "Protect_Analytic": "EventMessage",
          "Protect_Event_Type": "EventType",
          "Protect_Tags": "Tags",
          "Related_Binaries": "TargetBinaryFilePath",
          "Related_File_hash": "TargetBinarySHA256",
          "TargetbinarySign": "TargetbinarySignerType",
          "TargetBinarySigner": "TargetBinarySigningTeamID",
          "TargetBinarySignMsg": "TargetBinarySigningInfoMessage"
        },
        "description": "'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'\n",
        "displayName": "Jamf Protect - Alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DvcHostname",
                "identifier": "HostName"
              },
              {
                "columnName": "DvcOs",
                "identifier": "OSFamily"
              },
              {
                "columnName": "DvcOsVersion",
                "identifier": "OSVersion"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "Host_IPs",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "TargetProcessCurrentDirectory",
                "identifier": "CommandLine"
              },
              {
                "columnName": "TargetProcessId",
                "identifier": "ProcessId"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "algorithm",
                "identifier": "Algorithm"
              },
              {
                "columnName": "TargetBinarySHA256",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml",
        "query": "jamfprotectalerts_CL\n| extend\n    algorithm = \"SHA256\",\n    Host_IPs = tostring(parse_json(DvcIpAddr)[0]),\n    Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),\n    Tactics = case(input.match.tags has \"Execution\", \"Execution\", input.match.tags has \"Visibility\", \"Visibility\", input.match.tags has \"Persistence\", \"Persistence\", input.match.tags has \"LateralMovement\", \"LateralMovement\", input.match.tags has \"CredentialAccess\", \"CredentialAcccess\", input.match.tags has \"DefenseEvasion\", \"DefenseEvasion\", input.match.tags has \"PrivilegeEscalation\", \"PrivilegeEscalation\", input.match.tags has \"Impact\", \"Impact\", input.match.tags has \"CommandAndControl\", \"CommandandControl\", input.match.tags has \"Discovery\", \"Discovery\", input.match.tags has \"InitialAccess\", \"InitialAccess\", \"\"),\n    Techniques = pack_array(extract(@\"[A-Za-z]\\d{4}\", 0, tostring(input.match.tags))),\n    JamfPro = case(input.match.actions has \"SmartGroup\", \"Workflow with Jamf Pro\", input.match.actions has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "techniques": null,
        "templateVersion": "1.0.6"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}